|Line 22:||Line 22:|
== More secure Smart Card support
== More secure Smart Card support ==
Revision as of 05:06, 23 September 2014
<para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly setup the cryptographic options for their systems. Users that must meet certain cryptographic standards can make the policy change in <filename>//etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para>
<para>The available options are: (1) <literal>LEGACY</literal>, which ensures compatibility with legacy systems - 64-bit security, (2) <literal>DEFAULT</literal>, a reasonable default for today's standards - 80-bit security, and (3) <literal>FUTURE</literal>, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.</para>
<para>Additional information on this new feature can be found on the <ulink url="https://fedoraproject.org/wiki/Changes/CryptoPolicy">CryptoPolicy Changes wiki page</ulink>.</para>
systemd PrivateDevices and PrivateNetwork
Fedora is now more secure, as many long-running systemd services now run with physical device access and/or network access turned off. See  (NOTE:xref)
Starting with Fedora 21, all packages built by GCC will compile with the flag *-Werror=format-security* . While this change has no user-visible change, it represents a substantial effort by Fedora packagers to protect your system from an entire class of vulnerability.
You can learn more about the security issues mitigated by Fedora's defensive security practices at https://fedoraproject.org/wiki/Format-Security-FAQ
More secure Smart Card support
The PCSC daemon in Fedora 21 allows for fine grained access control to smart cards that is tied to the system processes rather than solely depending on the smart card controls. That is the polkit framework is being used to decide access on the smart card.
In addition a default policy file is shipped with Fedora that restricts access to smart cards in a system to the console users and the administrator only. The shipped policy can be modified by editing the file at /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy.
Additional documentation on the PCSC policies is provided in /usr/share/doc/pcsc-lite/README.polkit